Study: Storm botnet brought in daily profits of up to $9,500

It's common knowledge that spam response rates are low, but new research, …

The investigation of spam and the malware payloads that accompany it is a major focus of companies and organizations, from the federal government down to the small-business part-time IT director. Most of this work, however, is devoted to detecting and filtering spam (infected or otherwise), as well as to predicting what delivery vectors the industry might favor in the future. Actual data on the spam industry's economic model is much harder to come by—at least it used to be. Earlier this year, a group of researchers led by University of California-San Diego computer scientist Stefan Savage conducted research on the market fundamentals of the spam industry, from within the industry itself.

In order to conduct their research, Savage's team took control of a portion of the Storm Worm's massive botnet. A subset of the botnet's traffic was then rerouted, delivering interested potential buyers to a web site under white hat control. Savage's websites mimicked those set up by the creators of Storm, but were specifically designed to return error messages if a visitor attempted to transmit any sensitive information or conduct a transaction. The team observed three separate campaigns over the duration of their tests and analyzed some 469 million e-mails. Full details on the investigation, including a discussion of how the researchers infiltrated Storm and a very specific breakdown of what they found, are available here (PDF).

[Figure: A visual representation of Storm's structure. Savage's group infiltrated the C&C channel between proxy servers and workers.]

Savage and his team ultimately controlled 75,869 worker bots, with a maximum of 539 bots connected to the group's proxy servers at any one time. 78 percent of the bots contacted the team's proxy servers only once, 14 percent of the bots connected twice, and seven percent of the bots connected three to five times. Only one percent of the infected machines communicated five times, which underlines just how quickly individual systems are cleaned and taken off the network. One notable exception was an academic network in North Carolina that connected 269 times; it turned out to be an access hub for 19 individuals, which still works out to a bit over 14 connections per person.

If you've ever despaired of teaching your friends, family, or coworkers not to open or respond to spam, the researchers' findings might make your day. After sending some 350 million e-mail messages over 26 days, Savage and his team had "sold" just 28 "male enhancement" products at just under $100 each. This works out to a conversion rate that's described as "well under" 0.00001 percent. Total revenue for the period would have been $2,731.88, a bit over $100 a day. That's chump change by corporate standards, and it's why the spam industry relies on truly massive campaigns the way it does. By the scientists' estimates, they controlled just 1.5 percent of the total Storm network. Extrapolate their earnings against Storm's actual size, and the botnet may have been raking in as much as $7,000 a day ($9,500 if we only count the days Storm was actively conducting a campaign). For the curious, that works out to some $3.5 million in revenue per year.

The researchers admit their work constitutes just one data point in what they hope will be an ongoing investigation, but believe the information they gathered is generally representative of botnet profit margins. If it is, it suggests that spammers may be extremely sensitive to costs—more so than was previously believed. Even a small increase in the cost of sending an e-mail, they postulate, could have significant ramifications for the botnet industry, and might slow the rate at which it grows or put some spam operations out of business altogether.